This is a debated question because of some tension in the law. I think to dive into the specifics related to that tension would make my answer both long and boring. So here are some general principles:
• Make sure you identify your Business Associates. You can use this tool to help you identify your Business Associates.
• Make sure you sign a Business Associates Agreement with them. The DHHS has published a BAA template, which you can find here.
• It is a good idea to have your business associates provide an annual affirmation that they have complied with the regulations, that they have not had an incident or breach that they need to report to the CE, that they have conducted or updated their risk analysis, and that they have provided training to their employees.
• If a business associate is essential to your business and/or is processing or handling a large amount of the CE’s PHI, then more extensive efforts may need to be made to understand and manage the risks posed by the business associates. Those more extensive efforts may include an audit, on-site visits, a review of their risk analysis or the executive summary, review of training logs, etc.
• For reasons related to that tension mentioned above, I would avoid any requirements that substantially “control” the business associate or dictate how it is to carry out its information security management program. I would avoid requiring particular language or procedures in the policies of the business associates. Do not require them, for example, to have passwords of a certain length or complexity.